We already use OAuth and we don't have an authentication key baked into the software (like 'that other app does), so if they pull a user's key it is only that user who suffers. We're also not in any way replicating what twitter does - all we do is feed content to twitter. So we're good.